The inside cover had a full-page ad for Delphi Internet
(www.delphi.com)

Pages 2 and 3 had full-page ads for Laitron Computers.

Editor's Notes

BABBA is the first regional BBS magazine on the West Coast.
We started a trend: similar magazines are in
the works.

The Bash Continues

When we started BABBA, the conventional
media was bashing BBSs. We founded this publication as
an objective source of BBS information.
As we move into our second year of publication, we are
saddened by a fresh round of BBS bashing from our local paper.

The local paper recently warned parents about the danger in letting
their children (and teenagers) dial up a local BBS, such as those
listed in "freebie" papers.
The story indicated local BBSs could allow kids to get X-rated
materials or be exposed to abusive adults. Of course, the story
linked local BBSs with a potential for bestiality and "kiddie" porn.

The newspaper once again steered readers toward the belief that
only giant online commercial services are safe.
Small and medium-sized BBSs (and this magazine) have nothing
against the giant online services. We do resent being classified as
unsafe, or as being the sole source of adult material.

The BBSs and online services listed in BABBA keep children away from
adult material and abusive adults. All have strict controls on
adult material, and none have anything to do with child porn or
bestiality.
Should parents be careful about what their child does online? Of
course, but local BBSs are no more dangerous than the commonly
promoted online giants.

The Internet-BBS Connection

Recent advances in commercial, shareware, and freeware software have
made it easier and less expensive for BBSs to offer Internet mail.
Relatively soon, BBSs will be able to offer full Internet service.
BBSs have already reduced the real-time load on the Internet
network. BBSs are a valuable tool to keep the lanes on the "highway"
open.

Burger King BBSs

Most commercial BBS software packages are moving in the direction of
complete customization. This trend is more significant than even
RIP graphics. As time permits, Sysops will be able to custom design
their BBSs to their exact specifications.
Some say this will confuse the callers, with each BBS having a
different interface. We predict this new configurability will lead
to focused online systems that are easier to understand.

Page 4 had ads for the Bay Area Mega Board,
the Silicon Matchmaker
(www.silicon.email.net),
and the Tiger Team Information Network.

Questions Letters Comments

Q: Have you ever heard of a crack for the various PC remote-control
applications, like PC Anywhere or Carbon Copy? Is it possible to
crack through their security? I'd like to know because I may put one
on our network, and I'd hate to have anyone hack their way through.

A: As far as we know, these products are safe. To protect against
a chance of "outside" hacking, you can set your modem to answer on the
7th ring, for example. This may discourage the random-dialing
criminal hackers.
For ultimate security, get a call-back modem. These modems get a
call, accept a password, and then dial out only to a pre-approved
list of phone numbers.

Anyone who knows of any special risks or precautions on the
above-named software packages, please contact us.

Q: Why do BBS callers tend to have such poor grammar?

A: In the online world, function usually wins over form. Some
consider it wasteful to spend time creating perfect grammar.
When typing a message in a full-screen editor, coherent well-formed
sentences, grammar, punctuation, and spelling are all good ideas. In
a single-line editor, it can be difficult to go back and correct
mistakes.

When you are chatting with someone online, typing "catch yuo latr, im
goinng to sleep now!" gets your point across. Some would argue that
it would waste time to backspace and correct mistakes if the
meaning is clear.

Q: Our local newspaper recently ran front-page articles featuring
Vice President Al Gore and Governor Pete Wilson in staged chat
sessions with the general public. Gore's session was on the Internet,
and Wilson's over America Online. Both sessions seemed to be dismal
failures. Why did these chat sessions turn out to be such fiascoes,
and why do you think they were covered with such vigor? (RG, San
Jose)

A: Real-time online chat is no place for practical discussions with
political figureheads. Online chatting requires
time and practice to master. It's not the fault of the politicians,
placed in the spotlight, that they were inundated with rapid-fire
questions from anonymous sources. The governor couldn't type one
reply without a multitude of interruptions. It was as if the governor
appeared in public in a dark room without security,
advisors, or a megaphone. He'd get drowned out by hecklers, just as
he was online.

Your local newspaper editors should know better, especially when
their guest and his encounter with the online world will be
publicized. Next time, they should establish some filters, perhaps
replacing chat with an email conference for the guest.

C1: I can answer the question from L.K. in last month's issue, about
not being able to find 14.4 kbps in the software settings. For
modems having:

V.42bis: Set the port speed equal to 4X the modem's highest connect
speed. Turn off autobaud detect. You will probably find a 57.6 kbps
setting in the software. That is 4X 14.4 kbps, the usual setting for
14.4 kbps modems since they all have V.42bis. With an external
modem, you may need to upgrade your serial card's UART chip to
achieve the 57.6 kbps.

C2: Turning off autobaud detect is not a "by the way" bit of advice;
it's absolutely essential in order to take advantage of any type of
data compression. Autobaud detect tells the comm software to
automatically match the port baud speed to the actual connect speed
detected. If you do this on a compressed-data connection, you will
never realize the benefits of data compression; data will move from
PC to PC only at the modem's actual connect speed. (David Hakala)

A: Thanks, Dave!

Q: What kind of computer(s) are used to produce this magazine?

A: Most articles and artwork arrive via modems connected to our
IBM-PC based BBSs, or through the Internet. Preliminary (plain
ASCII) editing is done on PCs. All "final" production work (and all
BBS databases) is done on
Apple Macintosh computers.

Page 5 had ads for the Travel Connection BBS,
the Fun University Network
(www.wbs.net),
and the Terminal One, Weasel Den 2, and
iNFormation Exchange BBSs.

"BABBA BITS"

Ondex Online

In Mountain View, CA, the Ondex
company has started its new Ondex
online service database. Ondex is an
online database of BBSs and Usenet
newsgroups. The service is free to callers;
fees for Sysops listing with Ondex
range from free to $10-20 a month.
Callers can specify and search for
the exact features (keywords) and
find just the right online
services.

New EFF Sysop Memberships

EFF (Electronic Frontier Foundation,
www.eff.org) is the primary
group standing up for the rights of all
online services, protecting our constitutional
rights. Membership in the EFF is normally
$40 a year. The EFF is now offering a special
$10 (tax-deductible) introductory (first
year) membership rate for BBS Sysops.
(This has long expired.)

Members receive a subscription to EFF's
biweekly electronic newsletter, their quarterly
hardcopy newsletter, and access to their BBS.
Sysop members also get a special
diskette with some of EFF's most popular
resources, which can be posted for distribution,
as well as ASCII and ANSI EFF membership screens.
Sysops can also access EFF's (The Outpost) BBS
and join their (FTN and QWK-format) echomail network.

New/Upcoming BBS software

Judging from the press releases, it seems most
commercial BBS packages are undergoing major
revisions with tons of new features being added.
Each package has or will soon release many
new features. Rather than listing all
the features, here are our opinions
of the most useful new features on
each package we've seen:

TBBS: eSoft's (www.esoft.com) new
UltraChat extension
to their TBBS package lets a Sysop link a BBS
to other BBSs. UltraChat is so configurable,
it lets you emulate the chat features of any
other BBS software package.

BABBA hits Madera

Thanks to Jack Porter of
the ZDS-Online BBS, BABBA
is distributed in Fresno and Madera. ZDS-Online
will be at booth 5 at the April 7th Business
Extravaganza at Hatfield Hall in Madera.

Skipjack: Policy and Technology

Skipjack (formerly called Clipper) is a method for scrambling
digital telephone connections (both voice and data) to thwart
snoopers. It has been promoted by two government agencies and, if
passed into law, would require all government phone-based
communication equipment to use a style of encryption developed by
the military and kept secret from the public. The government would
hold decoding keys in escrow to access encrypted phone traffic.

Born of Fear

The encryption proposal was born of fear by law enforcement agencies
that it was becoming technically impossible to wiretap digital phone
lines. The FBI is alarmed that criminals could have private
conversations without the fear of being heard. Introduced in 1991,
the Senate anticrime bill (SB 266) would have required phone
companies to convert subscribers' digital transmissions to analog
for access by law enforcement agencies. This proposal died in
committee.

Rebirth

The FBI, unable to find a congressional sponsor, brought its case to
the new administration. On April 16, 1993, President Clinton
announced the new initiative, a mix of policy and technology
originally named Clipper. Because of trademark infringement, the
technology has been renamed Skipjack, although the policy is
commonly called Clipper.
The initiative was presented as a way to balance the need for secure
(encrypted) public communications and the need for law enforcement
agencies to be able to decipher those coded communications.

In trying to head off the arrival of privately-developed encryption
products that would effectively prevent law enforcement from
listening in, the government is proposing we (at first?)
voluntarily use a single encryption method (Skipjack), with the
keys to be kept in escrow by two unnamed agencies (either government
or private).
The administration proposes placing a computer chip in each product
that operates over digital phone lines (modems, computers, phones &
fax machines). The chip comes from the National Security
Agency (NSA), which is chartered with listening in on phone
conversations, here and abroad.

Policy

Clinton's policy uses the economic power of the government to
strongly encourage the rest of us to use Skipjack. Initially
voluntary, plans for implementing Skipjack in modems and phones are
moving forward. Expect Skipjack to become a federal standard this
year, gradually replacing an older, government-developed encryption
standard called DES.

The first products to use Skipjack will be telephone security
devices built by AT&T for the FBI, the IRS, and local law
enforcement agencies, among others.
As the government funds the National Information Infrastructure (the
data superhighway), it will use Skipjack as the method for ensuring
private, secure communications.

The second prong of the proposal lies in the Digital Telephony bill,
which has not yet come before Congress. This bill gives law
enforcement agencies the authorization to wiretap Skipjack-encrypted
communications. The vagueness of the wording and the wiretap
methodology have generated much controversy.
The NSA refuses to divulge the detailed algorithm for Skipjack,
another source of controversy.

The decryption keys for every Skipjack device in the country would
be kept in escrow by two unnamed, independent agencies, either
government or private. The idea is if a government agency wants to
listen in to a particular Skipjack-encoded conversation, it would
present evidence of lawful authority (a term not clearly defined)
to the escrow holders. Once they have the decryption keys they can
crack the code and begin listening to the subject's conversations,
with the required help of the phone company that carries the
transmission.

Technology

The Skipjack chip will initially be manufactured by Mykotronx and
VLSI Technology. Each chip will have a permanent key and a
serial number that identifies the chip (and its owner) during
communications. Installed in new phones or other telecommunications
tools, the encryption turns any conversation into gibberish for all
but the intended listener.

Like DES, Skipjack uses 64-bit blocks, and the chip supports all
four DES modes of operation. Some consider Skipjack more secure
than DES because the key size is 80 bits as compared with 56, and it
uses 32 rounds of scrambling instead of 16.

Rumors

A rumor is floating around that the government will make all other
encryption illegal. A variation on that rumor is that only (e.g.)
32-bit or higher encryption methods will be illegal, as anything less
than 32-bit encryption can easily be cracked by powerful computers. Some
consider the pending Digital Telephony bill to be even more of a
"threat" than Skipjack.

Opinion:

Perhaps taxation is another reason for
imposing Skipjack (and electronic currency) on us. The IRS would
certainly be interested in any private transactions across the
Internet.
Another point is that, yet again, we are denied an opportunity to
vote on an important issue that affects us all.
We rarely get to vote on really important long-term issues.
Ideally, our elected and appointed officials would prepare a few
intelligent alternatives for the voters to choose - including none of
the above.

Humor:

If you think using data compression products like
DoubleSpace slows the performance of your computer, wait until you
try encrypting and decrypting on the fly!

What's Wrong With Skipjack

Skipjack (formerly known as Clipper) is the popular name for an
ill-advised encryption standard that the government is trying to
force on all of us. The government will require all computers,
modems, and phones it buys to include Skipjack technology.

Skipjack is opposed, nearly unanimously, by industry, watchdog
organizations, and ordinary citizens. Despite this, the Clinton
administration is pushing ahead with their original plans.

No Expectation of Privacy

There are several good arguments against forcing encryption on the
communications of an open society. Public communications in online
services, bulletin boards and email are not private and have
rarely been encrypted in the first place. You sometimes see
notifications to this effect when you log in:

Pursuant to the Electronic Communication Privacy Act of 1986 (18
U.S.C. 2701 et seq.), notice is hereby given that there are no
facilities provided by this system for sending or receiving
private or confidential electronic communications. The operators of
this BBS can read all messages left on this system, including
Electronic Mail addressed to persons other than the system operators.

This message notifies the caller that email on that system is not
private. It is the digital equivalent of a postcard: Anybody who
handles the contents or manages the system usually can't help but
read it. Would you send money, your credit card information,
discussions of business negotiations, or intimate details of your
love life via a postcard?

Your Sysop is not to blame for this lack of privacy. Many BBS
packages lack the ability to keep messages private from the Sysop.
Sysops are usually held responsible for what is placed on their
systems. This situation mandates that Sysops preserve the ability
to completely access any message on their system.

Optional email security is needed

The authenticity of online messages is problematic because email
and messages can easily be forged by any person with access and
motive. This can have results ranging from mild embarrassment of the
victim to breakups of businesses or marriages.

The nature of networked email is that it resides on many systems on
its way to the destination. At any of those systems there are a
number of persons with high-level system access. While most Sysops
and system administrators are ethical and wouldn't edit your email
without a user request, or to correct a mail routing problem, all
it takes is one bad apple, and that person doesn't even have to be at
your local site.

Proving You are You

Paper envelopes leave traces when opened surreptitiously, but today's
electronic mail can easily be read, modified, or copied without the
user ever finding out.
Encryption technology provides a secure digital envelope to protect
your message before it hits the bit stream.
Encryption can also provide unforgeable message authentication, even
for the unencrypted text messages you post in public networked
conferences.

Some hobbyist networks, such as RIME and some FIDO nodes,
explicitly forbid the use of digital encryption. I believe Sysops
should be free to impose any policy that amuses them on their
systems, as long as it is consistent with federal law. As callers,
we can choose whether or not to patronize a BBS based on those
policies. I don't patronize online systems that forbid the use of
digital encryption. "Trust us" in terms of email privacy is not
acceptable to me.

Encryption is Coming

Within the next few years, transparent encryption & decryption of
email on major public systems will be taken for granted. For the
home PC, transparent encryption of files may be built into the
motherboard or the hard drive controller. With the coming
interactive cable TV systems, you'll be able to push a few buttons
and order a product on one of the home shopping channels and pay
with encrypted credit card numbers.

If encryption is a good idea...
What's wrong with Skipjack?

Skipjack has serious competition as encryption technology. RSA
(Rivest, Shamir, Adleman) is an internationally recognized, robust
encryption algorithm used for key transmissions. A key is the
information required for the recipient to unscramble an encrypted
message.

You can bet that foreign computers will be using RSA-based key
encryption.
The problem with Skipjack (or more properly, the technologies based
on the Skipjack algorithm) is our government holds copies of all
private keys from the manufacturers of computers, modems and phones.
Europeans have no interest in Skipjack technology
because the US government will be holding the keys.

The government agencies will turn over your key to any law
enforcement agent who submits a request that says that there is a
warrant for the key. The agent is not required to produce the
warrant.
The government has stated they will process these requests within a
few minutes, once the system is in place and fully up to speed. This
means that these requests cannot be checked for veracity. While
wiretaps, in theory, will still require a warrant, an agent willing
to lie to get a key isn't going to be worried about tapping a phone
illegally.

Is it Secure?

In the old days of cryptography, you kept your coding methods secret -
knowing that if the bad guys found them out, you'd have to change
your methods. Currently, secure encryption is usually tested by
publishing your algorithm and defying anybody from the academic,
amateur and professional cryptographic or mathematical community to
find a hole. If many people try and fail, you know your method is
probably secure.

Unlike other methods, critical parts of Skipjack's algorithm remain
classified, suggesting there may be big problems with it. How big?
I don't know. If the Skipjack algorithm is not secure, it isn't just
dishonest cops or a rogue government agency you have to worry
about.
I wouldn't be surprised if within a year of Skipjack going into
general use, a file called KRAKSKIP.ZIP starts appearing on BBSs
with everything a 14-year-old "hacker" (for lack of a better word)
needs to tap your Skipjack-secured phone or to read your email.

Once it's out, that file will be online everywhere. The Feds and
other police agencies will probably use the potential existence of
that file as an excuse to harass quite a few US BBS Sysops,
demanding access to make sure that nothing illegal is going on.

Suppose, after we've been Skipjacked and it's been cracked, that your
credit gets attacked. What will you do when your account reports a
mysterious one-way trip to the Cayman Islands, a nice computer
system, and a few thousand dollars of spending money? The Feds will
say the communications channels encrypted by Skipjack are secure,
and that the burden of proof to your credit provider is yours!

If Mr. Clinton has his way, our systems will be using Skipjack.
Skipjack-based systems will not be compatible with the rest of the
world, who will properly see our computers as security risks. Does
the president think we can impose our encryption standards on the
world?

How would you like to try selling a mainframe to the Italian
government, telling your prospect, "Of course our machine is secure -
we use Skipjack"? The potential customer would laugh while security
escorts you out of the building! If any potential customers don't
know about Skipjack's origin, our competitors will be telling them
in full-page ads. "Free spy in every American computer."

Mandatory Compliance

The Clinton administration has announced that Skipjack is now a
federal standard. It is wasting our money buying these chips in
quantity, and it will use every form of economic pressure it can to
force manufacturers to adopt it so you have no choice but to buy
their Skipjacked products.

Will non-Skipjack methods of protecting your privacy become illegal?
When asked, officials say, "Not at this time", using vague
generalities. Can non-Skipjack methods of cryptography be made
illegal? Probably. Can this be enforced? Very possibly:
monitoring equipment could be used at telephone company central
switches to sniff for forbidden crypto modes using pattern
analysis, and could either block the messages, or store and forward
them to the National Security Agency.

The justification used by the Clinton administration, the FBI, CIA,
NSA, and other "spook shops" is that it'll help them catch drug
dealers and terrorists. They go on to say that only stupid
criminals will use their technology because it's known that the
government can listen in. This basically is an admission that the
only real reason for it is to allow the government to go on fishing
expeditions in mailboxes and telephones for almost any reason.

"Big Brother Inside" is one way to describe this. This is the worst
threat to civil liberties I've seen since the Nixon era. Skipjack
could make impossible any political or religious organization the
government doesn't like. When the government controls your
communications, people can't talk to each other because it isn't safe.

Not Just Us

It isn't just computer scientists, the ACLU and we cyberspace types
who oppose Skipjack. Apple, Microsoft, IBM, and other companies
want Skipjack dumped as well, feeling that Skipjack will translate
into billions in foreign export sales losses, and thousands of job
losses over the next few years. The economic impact will affect
each citizen no matter what he or she does for a living.
AT&T developed the first telephones for the government with Skipjack
built-in. Even so, AT&T is publicly opposed to Skipjack being forced
on us.

What can You do about this?

The war against Skipjack isn't over, despite the administration
making it a federal standard.
If you want the Clinton "Skipjack" future, just sit and do nothing.

Congress needs to be encouraged to
yank any government funding for implementing the Skipjack program in
any form.
If you have Usenet access, read the alt.privacy.clipper newsgroup.
If not, keep an eye on the press, both newspaper and trade. They
are covering this critical issue closely. If your favorite computer
magazine does not cover Skipjack, write or telephone or email them
and demand that they do.

Complain to your congressperson over the phone and by mail. Don't
talk privacy - talk loss of sales by US companies to foreign
competitors due to Bill Clinton and the FBI's insistence on adding
the electronic spy chip called Skipjack to US computers, phones and
modems.

Also, tell your representative to vote YES on HR 3627, a measure
allowing US companies to sell crypto technology overseas legally.
Encryption is already widely available in most places in the world.
Passing HR 3627 would damage the administration's case for
Skipjack even further. If you're writing, you might enclose a copy
of this article.

Who to contact:

(Remember, this article appeared April 1994, so
don't email these people about these issues when you read this on the web.)

president@whitehouse.gov
vice-president@whitehouse.gov

A message title like "DUMP SKIPJACK" and a brief text message
suggesting that their continuing to push Skipjack will result in another
GOP vote in '96 are all that's needed. These messages are counted - not
read in detail.

clipper.petition@cpsr.org

Send the message "I oppose Skipjack". This is an electronic petition
that the Computer Professionals for Social Responsibility is
circulating against Skipjack.

leahy@eff.org

Senator Leahy needs your support in getting a Senate investigation
of Skipjack. This will force the administration to explain just why
they want to do this stupid thing to the American people. Show your
support, and tell Senators Feinstein and Boxer as well, using
snailmail.

Note - You can use Internet addresses to reach these folks through
the major online services and several BBS networks such as FIDO.
(Ask your Sysop/Customer Service representative how.)

You might contact the marketing departments at several computer
makers and tell them that you won't buy anything with Skipjack built
into it. This will give their lobbyists incentive to keep pushing.

Digital encryption that Works!

DES (Digital Encryption Standard) is an old "government standard".
There are known methods of cracking DES, even if the "backdoor"
widely believed to have been put in doesn't exist. I regard DES as
something for "keeping honest people honest". For instance, if you've
got a laptop, you might want a DES-encrypted hard drive.

While reading your encoded hard drive contents isn't impossible for
the government or well-funded private investigative organizations,
it will keep a thief out of the data on your hard disk, and the
person who he sells it to, out of your secrets. DES isn't taken
seriously by people outside of government. Companies generally use
DES only when forced to, and this is one reason Skipjack is being
promoted.

RSA

The current standard adopted by non-government organizations is the
RSA public key/private key digital encryption system. Rumor has it
that the US government uses it for discussing classified information.
Can the NSA crack RSA? The consensus is that no organization or
individual without facilities comparable to the NSA has a believable
chance of cracking it. I can live with that. This is real security
available to every computer user.

How RSA Works

As a user, you buy an RSA-based software package and generate a
public key/private key pair. You give the public key to anybody who
might conceivably want to send you confidential information.
Messages are encoded with your public key and decoded with your
private (secret) key. You do not show your private key to anybody
without a court order. You treat a private key like a password or
your own house key.

PGP

The most commonly available program for RSA encryption is called
PGP, for Pretty Good Privacy. There are two versions.
(A lot has happened since this article, so please
visit www.pgp.com for
PGP software information. Too bad PGP was bought out by a dumb big company.)

Freeware PGP

RSA Inc., owner of the RSA patents, has made a freeware version of
PGP for DOS, and it has been ported to the Mac and Atari. The
generic C source code is available to compile for Unix, VAX, etc.
Tens of thousands of people use the freeware version of PGP daily.
This is for educational - noncommercial - personal use.
You can get PGP on many BBSs and several Internet sites, including:
ftp://garbo.uwasa.fi/pub/pc/crypt/pgp23A.zip (for non-programmers)
ftp://garbo.uwasa.fi/pub/pc/crypt/pgp23srcA.zip (source code
version, in generic C)

Commercial PGP

ViaCrypt is an RSA-licensed commercial PGP program available from
ViaCrypt in Phoenix, AZ. ViaCrypt is DOS-only at this point. It is
completely interoperable with the freeware PGP, so users of this
program can send and receive crypto messages from any user of the
freeware versions of PGP. It costs $98 (single-user price). For
commercial business encryption purposes, there is nothing better at
a comparable price. (Update, visit
www.pgp.com)

Controversy

Although PGP is controversial, many corporations and private
individuals use it. For discussion of the controversial legal
issues, read the user documentation in the file archives; or if
you've got Usenet access, read the messages in alt.security.pgp.
The only thing that everybody agrees you cannot do with PGP is to
legally export it beyond US borders, because our government is under
the delusion that the US has a monopoly on encryption technology.

The fact that current versions of freeware PGP are produced in
Europe is of no interest to the government. If you import PGP from
a European site, do not email a copy to a friend outside the US, or
make it available for anon-ftp on your system, unless you can
restrict distribution to US-only. Make your international friends
ftp the file themselves from a non-US site.